double quotes crash Phpdig

10-03-2003, 09:18 AM
+ exact words
+ "reference documentation" in quotes

Search for test (http://www.phpdig.net/demo/search.php?template_demo=.%2Ftemplates%2Fphpdig.html&site=0&path=&result_page=search.php&query_string=%22reference+documentation%22&search=Go...&limite=10&option=exact)

mysql_num_rows(): supplied argument is not a valid MySQL result resource on libs/search_function.php in line 164

Possible solution:
In line 53: quotes and other things which crash a MySQL query must be deleted.

10-04-2003, 02:29 PM

I'm not sure, but can this bug cause a critical SQL insertion with a "drop table" query?

For example, if the searched words are like this:

none';drop table keywords;select * from keywords where etc...


10-05-2003, 12:52 PM
Hi. Please check and see if you can break it again. Thanks.

10-05-2003, 01:22 PM
Edit for Solution :

After checking, there is no possibility to include SQL code. But there is effectively a bug, as Roland said.

All quotes are badly stripped.

At the beginning "reference documentation" is transformed into \"reference documentation\".

At line #100 in search_function.php it's then transformed into \reference documentation\ (quotes disappear).

Then, each word, separated by a space, is used in a query. In Roland's case, this gives two queries with:

.... AND k.keyword like '\reference%'
.... AND k.keyword like 'documentation\%'

Of course, this causes MySQL to fail.

IMHO, a solution could be around lines 97-103.


10-05-2003, 03:20 PM
Hi. In search_function.php find:

$query_to_parse = trim(ereg_replace(" +"," ",$query_to_parse)); // no more than 1 blank

and before it add:

if (eregi("[^[:alnum:]^ +]+",$query_to_parse)) { $query_to_parse = eregi_replace("[^[:alnum:]^ ]+"," ",$query_to_parse); }

Also, in search_function.php find:

$kconds[$ncrit] .= " AND k.keyword ".$like_operator[$option]." '".$like_start[$option].$regs[2].$like_end[$option]."' ";

and replace with:

$kconds[$ncrit] .= " AND k.keyword ".$like_operator[$option]." '".$like_start[$option].stripslashes($regs[2]).$like_end[$option]."' ";

Of course, remove any "word" wrapping in the above code. ;)

10-15-2003, 07:52 AM
Hey, I just wanted to post that bug, but fortunately there's a solution already. Great, thanks. :-)

10-21-2003, 02:40 PM
Thanks for the solution with the double quotes. Much appreciated. It worked for me. :D

10-24-2003, 01:40 PM
I have yet to test it, but I am pretty sure anyone can inject mysql queries into the search field. Sorry I have not researched the code on my own, I am hoping someone else has already done that effort.

Also, I have written some code that allows regex searches. Is there an easy way to submit a diff?

10-24-2003, 04:36 PM
Hi. The code eregi_replace("[^[:alnum:]^ ]+"," ",$query_to_parse); takes everything that is not a number, letter, or space and replaces it with a space. This happens before $kconds[$ncrit] is formed, where $kconds[$ncrit] is used to make the mysql query from the search field. Please do examine the code. The more eyes, the better.

The regex code sounds cool. Please post it in the Mod Submissions (http://www.phpdig.net/forumdisplay.php?forumid=24) forum.
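The string handling that the 10-05-2003 posts walk through (magic_quotes adding backslashes, line #100 dropping the quotes, the per-word LIKE fragments, and the whitelist plus stripslashes() fix) is easier to reason about side by side. The block below is an added example written for this page, not PhpDig's own code: a Python re-implementation of that flow as the thread describes it. It assumes magic_quotes_gpc is on (so addslashes() has already run over the query string), that the "exact" option uses an empty like_start and a "%" like_end, and that [:alnum:] means ASCII letters and digits; the function names are the example's own.

```python
import re

# Added example, not PhpDig code: a Python re-implementation of the
# search_function.php string handling described in the thread, so the
# broken and the patched behaviour can be compared on the same inputs.
# Assumptions: magic_quotes_gpc is on (addslashes() already applied),
# the "exact" option uses like_start="" and like_end="%", and [:alnum:]
# is taken as ASCII letters and digits.

def add_slashes(s):
    """Emulate PHP addslashes(): put a backslash before ' " and \\."""
    return re.sub(r"(['\"\\])", r"\\\1", s)

def strip_slashes(s):
    """Emulate PHP stripslashes(): drop one backslash before any character."""
    return re.sub(r"\\(.)", r"\1", s)

def like_conditions(words, like_start="", like_end="%"):
    """Build the per-word fragments that are appended to $kconds[$ncrit]."""
    return ["AND k.keyword like '%s%s%s'" % (like_start, w, like_end)
            for w in words]

def broken_pipeline(user_input):
    """Original flow: the quotes are removed (line #100) but the backslashes
    that magic_quotes put in front of them survive into the LIKE patterns."""
    q = add_slashes(user_input)          # magic_quotes_gpc on GET data
    q = q.replace('"', "")               # line #100: quotes disappear
    q = re.sub(" +", " ", q).strip()     # no more than 1 blank
    return like_conditions(q.split(" ")) if q else []

def patched_pipeline(user_input):
    """Flow after the 10-05-2003 fix: everything that is not a letter, digit
    or space becomes a space before the blank-collapsing line, and each word
    goes through stripslashes() when the condition is built."""
    q = add_slashes(user_input)
    if re.search(r"[^A-Za-z0-9 ]+", q):              # the eregi() test
        q = re.sub(r"[^A-Za-z0-9 ]+", " ", q)        # the eregi_replace()
    q = re.sub(" +", " ", q).strip()
    words = [strip_slashes(w) for w in q.split(" ")] if q else []
    return like_conditions(words)

def contains_quote_or_backslash(fragments):
    """True if any LIKE pattern still carries a quote or backslash, i.e. a
    character that can end the single-quoted literal early or escape its
    closing quote. This is the property the whitelist is meant to guarantee."""
    prefix = "AND k.keyword like '"
    return any("'" in f[len(prefix):-1] or "\\" in f[len(prefix):-1]
               for f in fragments)

if __name__ == "__main__":
    # Constructed inputs: Roland's quoted phrase and the probe from the thread.
    for q in ['"reference documentation"',
              "none';drop table keywords;select * from keywords where"]:
        print("input   :", q)
        print("broken  :", broken_pipeline(q))
        print("patched :", patched_pipeline(q))
```

Running it reproduces the two fragments quoted in the thread for the broken flow ('\reference%' and 'documentation\%') and shows the patched flow reducing both inputs to bare alphanumeric words, so no quote or backslash ever reaches the query string. Note that the whitelist already removes the backslashes, so the added stripslashes() is belt and braces; also note that with magic_quotes on, the injection probe is neutralised even before the fix, which matches the observation that no SQL code could be included.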